Chief Editor

Security checks across malware telemetry and agentic risk

Overview

This editor skill is not clearly malicious, but it gives user-supplied templates unsafe authority over system instructions and can automatically read sources, scrape links, and delegate content to multiple model tools.

Install only if you are comfortable with this skill reading provided files, fetching links from those files, and possibly sending content to several model tools. The publisher should remove the language that lets user templates override system instructions and add explicit confirmation before URL scraping or multi-provider delegation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%

The skill presents itself as a simple chief-editor capability, but its embedded workflow authorizes much broader actions: reading all attachments, querying the knowledge base, scraping up to five URLs, orchestrating multiple external model tools, and mandating result submission. This mismatch increases the risk of over-broad tool use, data exfiltration, and unintended autonomous behavior because users and calling systems may invoke it under the assumption it only performs editorial assistance.

Vague Triggers

Severity: Medium
Confidence: 87%

The skill uses a very broad invocation description and lacks clear boundaries for when it should or should not activate. In practice, this can cause the agent to inappropriately assume authority to retrieve documents, scrape links, and submit outputs in contexts where such actions were not explicitly requested, increasing prompt-injection and overreach risk.

Ssd 1

Severity: High
Confidence: 99%

The skill explicitly states that user-provided personalized preferences take highest priority over system instructions. This creates a direct prompt-injection channel where untrusted template content can override safety, policy, and tool-use constraints, potentially coercing the agent into unsafe retrieval, disclosure, or action execution.

Ssd 1

Severity: High
Confidence: 99%

The same hierarchy inversion is repeated in the main instructions, creating a second independent injection path. Repetition makes the unsafe precedence more likely to survive partial edits or prompt wrapping and increases the chance that malicious user-controlled template content will dominate the agent's behavior across the workflow.

VirusTotal

64/64 vendors flagged this skill as clean.